stackabletech · lfrancke · Sep 17, 2024 · Sep 13, 2024 · Sep 13, 2024 · Sep 13, 2024
diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml
@@ -5,7 +5,7 @@ on:
  pull_request:
 
 env:
- HADOLINT_VERSION: "v1.17.6"
+ HADOLINT_VERSION: "v2.12.0"
 
 jobs:
  pre-commit:
@@ -18,6 +18,8 @@ jobs:
  with:
  python-version: '3.12'
  - name: Setup Hadolint
+ # We need to download this here due to a bug in the pre-commit/hadolint setup
+ # https://github.com/hadolint/hadolint/issues/886
  shell: bash
  run: |
  set -euo pipefail

diff --git a/config/versions.yaml b/config/versions.yaml
@@ -7,4 +7,5 @@ rust_version: 1.80.1
 # IMPORTANT
 # If you change the Hadolint version here, make sure to also change the hook
 # refs in the local and template .pre-commit-config.yaml files.
+# And due to a bug you also need to update the version in .github/workflows/pr_pre_commit.yml
 hadolint_version: v2.12.0
diff --git a/template/docker/Dockerfile.j2 b/template/docker/Dockerfile.j2
@@ -1,37 +1,102 @@
+# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
+# NOTE: The syntax directive needs to be the first line in a Dockerfile
+
 # =============
 # This file is automatically generated from the templates in stackabletech/operator-templating
 # DON'T MANUALLY EDIT THIS FILE
 # =============
+
+# https://docs.docker.com/build/checks/#fail-build-on-check-violations
+# check=error=true
+
 # We want to automatically use the latest. We also don't tag our images with a version.
 # hadolint ignore=DL3007
 FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder
 
+
 # We want to automatically use the latest.
 # hadolint ignore=DL3007
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator
 
 ARG VERSION
 ARG RELEASE="1"
 
-LABEL name="Stackable Operator for {[ operator.pretty_string }]" \
- maintainer="info@stackable.tech" \
- vendor="Stackable GmbH" \
- version="${VERSION}" \
- release="${RELEASE}" \
- summary="Deploy and manage {[ operator.pretty_string }] clusters." \
- description="Deploy and manage {[ operator.pretty_string }] clusters."
+# These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system
+ARG STACKABLE_USER_GID="574654813"
+ARG STACKABLE_USER_UID="782252253"
+
+# These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
+# http://label-schema.org/rc1/
+LABEL name="Stackable Operator for {[ operator.pretty_string }]"
+LABEL maintainer="info@stackable.tech"
+LABEL vendor="Stackable GmbH"
+LABEL version="${VERSION}"
+LABEL release="${RELEASE}"
+LABEL summary="Deploy and manage {[ operator.pretty_string }] clusters."
+LABEL description="Deploy and manage {[ operator.pretty_string }] clusters."
 
+# Overwriting/Pinning UBI labels
+# https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL vcs-ref=""
+LABEL distribution-scope="public"
+LABEL url="https://stackable.tech"
+ARG TARGETARCH
+LABEL architecture="${TARGETARCH}"
+LABEL com.redhat.component=""
+# It complains about it being an invalid label but RedHat uses it and we want to override it and it works....
+# hadolint ignore=DL3048
+LABEL com.redhat.license_terms=""
+LABEL io.buildah.version=""
+LABEL io.openshift.expose-services=""
+
+# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
+LABEL org.opencontainers.image.authors="info@stackable.tech"
+LABEL org.opencontainers.image.url="https://stackable.tech"
+LABEL org.opencontainers.image.vendor="Stackable GmbH"
+LABEL org.opencontainers.image.licenses="OSL-3.0"
+LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/{[ operator.product_string }]/"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.revision="${RELEASE}"
+LABEL org.opencontainers.image.title="Stackable Operator for {[ operator.pretty_string }]"
+LABEL org.opencontainers.image.description="Deploy and manage {[ operator.pretty_string }] clusters."
+
+# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
+# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
+LABEL io.openshift.tags="ubi9,stackable,sdp,{[ operator.product_string }]"
+LABEL io.k8s.description="Deploy and manage {[ operator.pretty_string }] clusters."
+LABEL io.k8s.display-name="Stackable Operator for {[ operator.pretty_string }]"
+
+RUN <<EOF
 # Update image and install kerberos client libraries
 # install_weak_deps in microdnf does not support the literal "False" as dnf does
 # https://github.com/rpm-software-management/microdnf/blob/a600c62f29262d71a6259b70dc220df65a2ab9b5/dnf/dnf-main.c#L176-L189
+microdnf update
 # NOTE (@NickLarsenNZ): Maybe we should consider pinning package versions?
 # hadolint ignore=DL3041
-RUN microdnf update -y --setopt=install_weak_deps=0 \
- && microdnf install -y --setopt=install_weak_deps=0 \
- krb5-libs \
- libkadm5 \
- && microdnf clean all \
- && rm -rf /var/cache/yum
+microdnf install -y \
+ krb5-libs \
+ libkadm5 \
+ shadow-utils
+
+groupadd --gid ${STACKABLE_USER_GID} --system ${STACKABLE_USER_NAME}
+# The --no-log-init is required to work around a bug/problem in Go/Docker when very large UIDs are used
+# See https://github.com/moby/moby/issues/5419#issuecomment-41478290 for more context
+# Making this a system user prevents a mail dir from being created, expiry of passwords etc. but it will warn:
+# useradd warning: stackable's uid 1000 is greater than SYS_UID_MAX 999
+# We can safely ignore this warning, to get rid of the warning we could change /etc/login.defs but that does not seem worth it
+# We'll leave the home directory hardcoded to /stackable because I don't want to deal with which chars might be valid and which might not in user name vs. directory
+useradd \
+ --no-log-init \
+ --gid ${STACKABLE_USER_GID} \
+ --uid ${STACKABLE_USER_UID} \
+ --system \
+ --create-home \
+ --home-dir /stackable \
+ stackable
+microdnf remove shadow-utils
+microdnf clean all
+rm -rf /var/cache/yum
+EOF
 
 COPY LICENSE /licenses/LICENSE
 
@@ -40,9 +105,7 @@ COPY --from=builder /app/* /usr/local/bin/
 COPY deploy/config-spec/properties.yaml /etc/stackable/{[operator.name}]/config-spec/properties.yaml
 # {[% endif %}]
 
-RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Operator' stackable
-
-USER stackable:stackable
+USER ${STACKABLE_USER_UID}
 
 ENTRYPOINT ["stackable-{[ operator.name }]"]
 CMD ["run"]